[Python-modules-team] Bug#873815: pyjwt: PyJWT vulneratibility for some keys

Leonidas S. Barbosa leo.barbosa at canonical.com
Thu Aug 31 12:35:41 UTC 2017

Package: pyjwt
Version: 1.4.2-1
Severity: important
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch

Dear Maintainer,

Upstream already fixed that issue, here is the debdiff that was applied in
order to fix this.

  * SECURITY UPDATE: symmetric/asymmetric key confusion attacks
    - debian/patches/CVE-2017-11424.patch: Throw if key is an PKCS1
      PEM-encoded public key in jwt/algorithms.py, jwt/api_jws.py,
      jwt/api_jwt.py, tests/keys/testkey_pkcs1.pub.pem,
      tests/test_algorithms.py, tests/test_api_jws.py, tests/test_api_jwt.py.
    - CVE-2017-11424

Thanks for considering the patch.

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pyjwt_1.4.2-1ubuntu1.debdiff
Type: text/x-diff
Size: 6009 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20170831/909ff17a/attachment.diff>

More information about the Python-modules-team mailing list